Security

Tagmap takes security seriously and follows the best security practices where possible.


Security Bugs

If you have found a bug, please send an email to security@ this domain (or use our feedback form) with the steps needed to reproduce it and an explanation of why it poses a security risk.

If your bug meets our criteria for security-critical status, you may have your name added to this page as our way of saying thanks. Severe bugs may also be eligible for a financial (USD) reward, depending on their severity and how practical they are to exploit, although this is at our own discretion and no guarantees are made. Examples of severe bugs are remote code execution and complete database exfiltration.


Guidelines for security researchers

If you are a security researcher and intend to responsibly report issues to us via the method above, please be respectful and follow common standards when using our services. If you create an account for the purpose of security research, start its username with 'securitytest'.

Do not engage in activities that could harm Tagmap or any of its users, including deleting data, accessing private user data, DDoS attacks, and spamming. The ability to quickly create many accounts, tags, or messages (spamming), or to otherwise disrupt the user experience, is not considered a security bug, so please be kind and make sure your actions do no harm before proceeding.

XSS that only executes in your own browser (self-XSS) is not considered a bug either; to qualify, you must be able to make a different user's browser execute untrusted JavaScript without that user pasting or submitting the payload themselves. The use of automated vulnerability scanners is also prohibited.


Non-bugs

The following items are not considered security bugs. This list is not exhaustive.

  • The ability to set a fake location or to create multiple user accounts
  • The ability to perform client-side or reflected XSS that is only shown to yourself
  • Long session lifetimes, and the persistence of sessions across changes to account information
  • Potentially sub-optimal HTTP headers or DNS records, such as the absence of HPKP (which is deprecated in any case) or the use of an SPF soft-fail policy
  • Anything outside the scope of Tagmap's software and supporting infrastructure, including DDoS attacks


Additional information

Tagmap is hosted on Amazon AWS. All user data is protected in transit by strong encryption (TLS/HTTPS) following current best practices: secure cipher suites, HSTS, and plain HTTP connections disallowed. Passwords are hashed using bcrypt rather than stored in recoverable form. Many other industry-standard practices are in use, such as two-factor authentication for administrative access, allow-list firewall rules, and privilege separation between components.


Publicity of account information

Keep in mind that all information you add to your profile is public, except for your email address and password, and that locations are shown as approximations, unless you specify otherwise (for example by setting your profile visibility to hidden). Only add information that you are comfortable being made public. If you are concerned about the publicity of your location, set it a comfortable distance away from where you live, such as several miles away.


Special thanks to

This section lists the individuals who have reported a security issue to Tagmap that resulted in a patch. Thank you for your contribution to Tagmap's security.

  • Alwoares